Firewall not responding to virtual IPs - resolved… sort of
-
I've just swapped an old firewall out for a new pfsense firewall, and the new box is not responding to any requests on its virtual IPs. I had tested this in my office and it was working fine, though I'm using a different set of IPs now.
I've created a rule so the firewall responds to pings from outside. When I ping the IP of the WAN interface, it responds. When I ping any of the other IPs, I get nothing. I changed the IP on the WAN interface to one of the others in my block, and then it responds on the new IP (which was previously mapped virtual). Change it back, still nothing on the virtual IPs.
I have set them type Proxy ARP, but to be honest I don't really know what that means, and haven't been able to find much documentation on it.
Right now, I'm in a bind. I've got a small window of time to get this firewall up, or else I have to put the old one back in.
-
The firewall will not respond to pings on VIPs. Have you tried a port-forward or 1-1 NAT using the VIPs? It's possible that everything is working correctly…
-
Thanks for confirming the pings, that makes sense. Still, I couldn't access any of the other protocols either, until I changed the VIP setting from 9 single addresses to 1 subnet based address. That's got it working for some… but my datacentre people are saying they've still got no ARP entries for a few of the addresses in that range.
Add to that, now in my NAT rules I can't select the individual IP addresses anymore, since I changed the VIP setting to network. If I modify the rules via XML I can set the individual address, but not in the GUI. Make sense?
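A check for the "no ARP entries" report above, added here as an example and not code from the thread or from pfSense: it expands a VIP list (single-address and network-type Proxy ARP entries) into the addresses the firewall should be answering ARP for, then compares that against a constructed `arp -an` dump from the upstream router, flagging addresses with no entry and addresses whose entry points at a different MAC (as a stale entry for a replaced box would). Addresses, MACs and the VIP_CONFIG shape are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample VIP list (hypothetical 203.0.113.0/24 documentation range),
# shaped like pfSense's VIP entries: one network-type Proxy ARP entry plus one single.
VIP_CONFIG = [
    {"type": "proxyarp", "subnet": "203.0.113.16", "bits": 29},  # /29 network entry
    {"type": "proxyarp", "subnet": "203.0.113.30", "bits": 32},  # single address
]
FIREWALL_MAC = "00:00:5e:00:53:aa"  # constructed: the new firewall's WAN MAC

# Constructed sample of the upstream router's `arp -an` output. The .19 entry
# still points at another MAC, as a stale entry for a replaced box would.
UPSTREAM_ARP = """\
? (203.0.113.1) at 00:00:5e:00:53:01 on em0 permanent
? (203.0.113.17) at 00:00:5e:00:53:aa on em0 expires in 1180 seconds
? (203.0.113.18) at 00:00:5e:00:53:aa on em0 expires in 1190 seconds
? (203.0.113.19) at 00:00:5e:00:53:bb on em0 expires in 300 seconds
? (203.0.113.30) at 00:00:5e:00:53:aa on em0 expires in 600 seconds
"""

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")

def expand_vips(config):
    """Return the set of addresses the firewall should be answering ARP for."""
    addrs = set()
    for vip in config:
        if vip["type"] != "proxyarp":
            continue
        net = ipaddress.ip_network(f"{vip['subnet']}/{vip['bits']}", strict=False)
        if vip["bits"] >= 31:
            addrs.update(net)          # /31 and /32: every address is usable
        else:
            addrs.update(net.hosts())  # network-type entry: skip network/broadcast
    return addrs

def parse_arp_table(text):
    """Map IPv4Address -> MAC from BSD/Linux `arp -an` style lines."""
    return {ipaddress.ip_address(ip): mac.lower() for ip, mac in ARP_LINE.findall(text)}

def check_vip_arp(config, arp_text, firewall_mac):
    """Classify each expected VIP as present, missing from the table, or held by another MAC."""
    table = parse_arp_table(arp_text)
    missing, stale = [], []
    for addr in sorted(expand_vips(config)):
        mac = table.get(addr)
        if mac is None:
            missing.append(str(addr))
        elif mac != firewall_mac.lower():
            stale.append(str(addr))
    return {"missing": missing, "stale": stale}

if __name__ == "__main__":
    print(check_vip_arp(VIP_CONFIG, UPSTREAM_ARP, FIREWALL_MAC))
```

Feed it the real VIP list and the router's ARP dump and the "missing" list is exactly the set of addresses to ask the datacentre about; a non-empty "stale" list points at a cache still holding the old box's MAC.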
-
Strange, unless it's a CARP cluster, I always use Proxy-ARP, and add the VIPs individually using 'single address'.
The VIPs are available via the pull-down when I'm creating port-forwards. Maybe back-up your running config, reset to defaults and try re-adding the VIPs?
-
OK, so to make matters more strange, by the time I'd got back to my office from the datacentre, none of the IPs in the block I'd configured were working either. I removed the block, and added the individual Proxy ARP IPs as I'd done to begin with, but now they work. What the heck…
The only difference I can spot right now is that I've only specified 4 Virtual IPs, rather than my full block of 9. Maybe there's a limit?
-
I've got a box with a dozen VIPs on the WAN and another dozen on the OPT, so 9 shouldn't be a problem. They are all entered as single Proxy-arp.
-
OK, good. How about… I'm using 1.2 RC1. After I've changed the VIPs, I hit Apply, and on the reload Apply is still there. If I click it a second time, it goes for good; but if I don't bother clicking it a second time, the changes are still saved. Maybe it screws something up if you click it twice? (I stopped clicking it twice after some time).
I'm grasping at straws. I just need to know it's going to keep working :)
-
The box I have with all the VIPs is running 1.2 beta2, but I haven't heard of any recent issues with VIPs. I forget if beta 2 had the additional save button with the carp reboot warning…